After writing some quick and dirty functions to read kernel memory at runtime (I did this by disabling SIP and getting the kernel's task port via the processor_set_tasks workaround, then just calling mach_vm_read_overwrite on addr + kslide), I did some tests to confirm everything was working fine. Reading from a kext base address (from kextstat) + kslide yielded 0xfeedfacf, so I am quite sure everything works.

I noticed that the paper's author uses a particular formula to calculate the gMetaClass address for a specified class; the formula is tuned for 32-bit ARM. I wasn't able to replicate this formula on OS X x86_64, so I tried to come up with another method.

I am actually interested in the IOHIDUserClient gMetaClass. A quick Hopper disassembly revealed that IOHIDUserClient (as well as other classes) has a particular method, ::getMetaClass(). So I found the IOHIDUserClient::getMetaClass() method with Hopper, which disassembles to the following:

Hey! Thanks for the reply. I realized that I was indeed doing it right, but it seems that the gMetaClass object structure doesn't follow the same structure as the iOS gMetaClass. Here's the dump of IOHIDUserClient's gMetaClass object in memory, byte by byte:

The size is stored at the end of the structure, before a bunch of zeroes that mark the end. But I can't seem to get anything useful by reading those pointers.

Anyway, it looks like I can get all the info I need (class name, size, parent's gMetaClass pointer) by disassembling the class constructor. The only thing that still bothers me is how to analyze and find all this information with symbols stripped. I read around that I should find cross references to __ZN11OSMetaClassC2EPKcPKS_j, which is called by any IOKit constructor. Thing is: I don't know how to find these cross references. If you can provide even a starting point or some information I would be so grateful! Thanks again!
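An added example (not code from this thread) of the cross-reference search the post asks about: scan an x86_64 code section for `call rel32` instructions whose target is the OSMetaClass constructor, which is how the IOKit class constructors that call __ZN11OSMetaClassC2EPKcPKS_j can be located in a stripped kext. The section base, constructor address and code bytes below are constructed for the demo, not real kernel addresses.

```python
"""Find callers of a known function by scanning x86_64 code for E8 (call rel32)
instructions whose computed target equals that function's address."""
import struct

CALL_OPCODE = 0xE8  # call rel32: target = address_of_next_insn + signed disp32


def find_call_xrefs(code: bytes, section_base: int, target: int) -> list[int]:
    """Return the addresses of every `call rel32` in `code` that lands on `target`.

    `section_base` is the virtual address of code[0] (kslide-adjusted if the
    bytes were read from a live kernel). A raw byte scan can match an E8 that
    sits inside data or an immediate, so hits are candidates to confirm in a
    disassembler (e.g. Hopper), not ground truth.
    """
    hits = []
    for i in range(len(code) - 4):
        if code[i] != CALL_OPCODE:
            continue
        disp = struct.unpack_from("<i", code, i + 1)[0]
        insn_addr = section_base + i
        if insn_addr + 5 + disp == target:
            hits.append(insn_addr)
    return hits


def make_call(insn_addr: int, target: int) -> bytes:
    """Encode `call target` as it would appear at insn_addr (demo helper)."""
    return bytes([CALL_OPCODE]) + struct.pack("<i", target - (insn_addr + 5))


# Constructed sample __text section at made-up addresses: two class
# constructors call the OSMetaClass ctor, one call goes somewhere else.
SECTION_BASE = 0xFFFFFF8000A00000      # placeholder base
OSMETACLASS_CTOR = 0xFFFFFF8000A0F000  # placeholder for __ZN11OSMetaClassC2EPKcPKS_j
OTHER_FUNC = 0xFFFFFF8000A0E000


def build_sample() -> bytes:
    code = b"\x55\x48\x89\xe5"  # push rbp; mov rbp, rsp
    code += make_call(SECTION_BASE + len(code), OSMETACLASS_CTOR)
    code += b"\x5d\xc3"  # pop rbp; ret
    code += make_call(SECTION_BASE + len(code), OTHER_FUNC)
    code += b"\x90" * 6  # padding
    code += make_call(SECTION_BASE + len(code), OSMETACLASS_CTOR)
    return code + b"\xc3"


if __name__ == "__main__":
    for addr in find_call_xrefs(build_sample(), SECTION_BASE, OSMETACLASS_CTOR):
        print(f"OSMetaClass ctor called from {addr:#x}")
```

On a real kext the bytes would come from the __TEXT,__text section of the Mach-O (or the live read described in the first post), and the target address from the symbol table of a non-stripped kernel or from the stub the kext links against.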